In the Claims

1. (Currently Amended) A computer-implemented method for gathering security
event data and rendering result data in a manageable format comprising the steps of:

generating a plurality of alerts with a plurality of security devices at a first
location;

providing one or more variables operable for analyzing and filtering security
event data, the variables comprising at least one of a location of a security event, a source of
security event, a destination address of the security event, a security event type, a priority of a
security event, and an identification of a system that detected a security event;

creating scope criteria by adjusting selecting one or more of the variables operable
for analyzing and filtering security event data, the security event data comprising the plurality of
alerts;

collecting the security event data generated by the plurality of security devices
located at the first location;

storing the collected security event data at a second location; [[and]]

analyzing and filtering the collected security event data with the scope criteria to
produce result data, the result data accessible by a plurality of clients;

transmitting the result data to one or more clients; and

displaying the result data comprising filtered alerts based on the scope criteria.

2. (Original) The method of Claim 1 , further comprising storing one or more of the 
scope criteria and the result data. 

3. (Original) The method of Claim 1, wherein the first location is a distributed
computing environment and the second location is a database server.

(Original) The method of Claim 1, wherein collecting the security event data

generating security event data from a sensor,

sending the security event data from the sensor to a collector; and

converting the event data to a common format.

5. (Original) The method of Claim 1, wherein the analyzing is performed at an
application server to which the plurality of clients are coupled.

6. (Original) The method of Claim 1, further comprising searching the stored
security event data for additional information identifying a security event.

7. (Original) The method of Claim 1, further comprising:

polling a database server for current stored security event data;

analyzing the current stored security event data to produce current result data; and

rendering the current result data.

8. (Original) The method of Claim 1, further comprising polling for messages
containing information about scope criteria, security event data, or result data.

9. (Original) The method of Claim 1, further comprising pushing messages to a
client wherein the messages contain information about scope criteria, security event data, or
result data.

10. (Original) The method of Claim 1, wherein the step of rendering result data 
comprises presenting the result data in a chart format. 

11. (Original) The method of Claim 1, wherein in response to analyzing the collected
security event data, an action is executed.

12. (Original) The method of Claim 11, wherein the action is clearing security event
data from storage.

13. (Original) The method of Claim 11, wherein the action is creating an incident
from result data for preparing a response.

14. (Original) The method of Claim 1, wherein the step of collecting security event
data further comprises converting the data to a uniform format.

15. (Original) A computer-readable medium having computer-executable instructions
for performing the steps recited in Claim 1.

16. (Currently Amended) A method for managing security event data collected from a
plurality of security devices in a distributed computing environment comprising the steps of:

generating a plurality of alerts with the plurality of security devices at a first
location;

providing one or more variables operable for analyzing and filtering security
event data, the variables comprising at least one of a location of a security event, a source of
security event, a destination address of the security event, a security event type, a priority of a
security event and an identification of a system that detected a security event;

creating scope criteria by adjusting selecting one or more of the variables operable
for analyzing and filtering security event data, the security event data comprising the plurality of
alerts;

collecting security event data at a second location; [[and]]

applying the scope criteria to the security event data at a third location to produce
[[a]] result data, the result accessible by a plurality of clients coupled to a server;

transmitting the result data to one or more clients; and

displaying the result data comprising filtered alerts based on the scope criteria.

17. (Original) The method of Claim 16, further comprising rendering the result in a
rendering for output to a client.

18. (Original) The method of Claim 16, wherein the first location is a distributed
computing environment.

19. (Original) The method of Claim 16, wherein the second location is a database
server.

20. (Original) The method of Claim 16, wherein the third location is an application
server coupled to the plurality of clients.

21. (Original) The method of Claim 16, further comprising storing one or more of the
scope criteria, the security event data, and the result in a database.

22. (Original) The method of Claim 16, further comprising executing an action at the
server in response to producing the result.

23. (Original) The method of Claim 22, wherein the action is clearing stored security
event data.

24. (Original) The method of Claim 22, wherein the action is creating an incident
from a result.

25. (Original) The method of Claim 16, further comprising applying additional scope
criteria to a plurality of results.

(Original) A computer-readable medium having computer-executable instructions
for performing the steps recited in Claim 16.

27. (Currently Amended) A computer-implemented system for managing security
event data collected from a plurality of security devices comprising:

a plurality of security devices operable for generating security event data
comprising a plurality of alerts;

an event manager coupled to the security devices, the event manager operable for
collecting security event data from the security devices and analyzing and filtering the security
event data with scope criteria comprising a plurality of one or more definable variables operable
for analyzing and filtering the security event data, the variables comprising at least one of a
location of a security event, a source of security event, a destination address of the security
event, a security event type, a priority of a security event, and an identification of a system that
detected a security event and the event manager operable for applying the scope criteria to the
security event data to produce result data; and

a client one or more clients coupled to the event manager operable to perform an
action in response to receiving analyzed security event data from the event manager and
displaying the result data comprising filtered alerts based on the scope criteria.

28. (Previously Amended) The system of Claim 27, wherein the event manager 
comprises a database server operable for storing the collected security event data and the 
analyzed security event data. 

29. (Original) The system of Claim 27, wherein the event manager comprises an
application server operable for creating an incident from the security event data for preparing a
response.

30. (Original) The system of Claim 27, wherein the security devices are coupled to a
distributed computing network.

31. (Original) The system of Claim 27, wherein multiple clients operable for
receiving analyzed security data are coupled to the event manager.

32. (Original) The method of Claim 27, wherein the action performed by the client is
rendering a chart containing analyzed security event data.

33. (Original) The method of Claim 1, further comprising the step of rendering the
result data in a manageable format for the plurality of clients.

34. (Currently Amended) A computer-implemented method for gathering security
event data and rendering result data in a manageable format comprising the steps of:

generating a plurality of alerts with a plurality of security devices at a first
location;

providing one or more variables operable for analyzing and filtering security
event data, the variables comprising at least one of a location of a security event, a source of
security event, a destination address of the security event, a security event type, a priority of a
security event and an identification of a system that detected a security event;

creating scope criteria by adjusting selecting one or more of the variables operable
for analyzing and filtering security event data, the security event data comprising the plurality of
alerts;

collecting the security event data at a second location;

analyzing and filtering the collected security event data with the scope criteria at a
third location to produce result data, the result data accessible by a plurality of clients; and

transmitting the result data to one or more clients; and

rendering the result data in a manageable format for the plurality of one or more
clients.



35. (Original) The method of Claim 34, further comprising storing one or more of the
scope criteria, the security event data, and the result data.

36. (Original) The method of Claim 34, wherein the first location is a distributed
computing environment, the second location is a database server, and the third location is an
application server to which the plurality of clients are coupled.

37. (Original) The method of Claim 34, further comprising editing the scope criteria.

38. (Original) The method of Claim 34, further comprising converting the collected
security event data to a common format.

39. (Original) The method of Claim 35, further comprising searching the stored
security event data for additional information identifying a security event.

40. (Original) The method of Claim 35, further comprising:

polling a database server for current stored security event data;

analyzing the current stored security event data to produce current result data; and

rendering the current result data.

41. (Original) The method of Claim 34, further comprising polling for messages
containing information about scope criteria, security event data, or result data.

42. (Original) The method of Claim 34, further comprising pushing messages to a
client wherein the messages contain information about scope criteria, security event data, or
result data.

43. (Original) The method of Claim 34, wherein the step of rendering the result data
comprises presenting the result data in a chart format.

44. (Original) The method of Claim 34, wherein in response to analyzing the
collected security event data, an action is executed.

45. (Original) The method of Claim 44, wherein the action is clearing security event
data from storage.

46. (Original) The method of Claim 44, wherein the action is creating an incident
from result data for preparing a response.

47. (Original) The method of Claim 34, wherein the step of collecting security event
data further comprises converting the data to a uniform format.

48. (Original) A computer-readable medium having computer-executable instructions 
for performing the steps recited in Claim 34. 
49. (Currently Amended) A method for managing security event data collected from a
plurality of security devices in a distributed computing environment comprising the steps of:

generating security event data with a plurality of security devices, the security
event data comprising a plurality of alerts;

transferring the security event data for storage in a database;

applying a scope criteria comprising a plurality of one or more definable
variables to the security event data for analyzing and filtering the security event data to produce a
result, the variables comprising at least one of a location of a security event, a source of security
event, a destination address of the security event, a security event type, a priority of a security
event and an identification of a system that detected a security event; [[and]]

accessing the result with one or more clients coupled to an application server; and

displaying the result data comprising filtered alerts based on the scope criteria.

50. (Original) The method of Claim 49, further comprising rendering the result in a
rendering for output to the clients.

51. (Original) The method of Claim 49, further comprising the step of creating the
scope criteria for filtering the security event data.

52. (Original) The method of Claim 49, further comprising the step of editing the
scope criteria.

53. (Original) The method of Claim 49, further comprising converting the security
event data to a uniform format.

54. (Original) The method of Claim 49, further comprising storing one or more of the
scope criteria, the security event data, and the result in a database.

55. (Original) The method of Claim 49, wherein in response to producing a result, an
action is executed.

56. (Original) The method of Claim 55, wherein the action is clearing stored security
event data.

57. (Original) The method of Claim 55, wherein the action is creating an incident
from a result.

58. (Original) The method of Claim 49, further comprising applying additional scope
criteria to a plurality of results.

59. (Original) A computer-readable medium having computer-executable instructions
for performing the steps recited in Claim 49.